Open source is beneficial to system security

Open source is a hot topic for recent people. What impact will this have on information security? Which is more secure than open source and closed source? The author of this article made it clear that open source will improve information security.

In recent years, with open source software such as Linux and Apache more and more people's attention and love, the open source movement has caused a worldwide storm. However, we can often see some doubts about the security of OSS: "All the source code has been seen by hackers, what is there security to speak of?" "Open source means that hackers can find all the flaws in the code." "Someone even lists the equation:" Open Source = open the door of the information system = unsafe.

Open source in the end is unsafe

Those who think that open source is unsafe are generally based on the following considerations.

First, hackers can find the security holes in them

This view is premised on the premise that hackers will not identify security vulnerabilities in closed source software. But we just need to go to the Internet to look up security warnings and security recommendations related to the closed source software, and we'll know that this is obviously not true. For example, in December 1999, Todd Sabin announced on the Bugtraq mailing list that he had discovered a SYSKEY flaw in Windows NT that was discovered using the disassembler without the source code (as is known to all that Microsoft did not provide the source). In fact, most hackers don't necessarily need to have source code when they crack a program.

Two, open is not safe

Because for most people, security means hidden, secret, and not open. There is a proverb in cryptography that the security of a cryptographic algorithm should not depend on it being secret. History has shown that secret cryptographic algorithms will eventually be cracked. Today's cryptographic algorithms, such as AES, are mostly public, and their security strength depends on the length of the key used. This sentence can also be applied to the general security software. The algorithm can be used in reverse engineering, and the protocol can be resolved by analyzing technology. The hidden and secret things will eventually be discovered and published in the public. Therefore, it is largely impossible to achieve the goal of security by closeness and secrecy.

Third, open code no one notices

In one example, after the release of PGP 2.6, someone announced on the Bugtraq mailing list that a "bug" was found in one of the random number generators when the code was checked. This error is very small, but the assignment operator symbol (=) is used in the code that makes the difference or operation. This shows that "even if the code is open, no one will actually check" the idea is untenable, in the open source model, such a small error can be found, so that the serious error or the backdoor is not found the possibility of minimal.

Four, open source can be placed in the back door

This is theoretically true, but how do you put a backdoor or a trap in it? Because OSS uses code control systems to manage the code tree, and many people examine and analyze the code, and more importantly, the code itself means the author's personal reputation. Who wants to risk losing his reputation and reputation by placing a backdoor in open code? In contrast, closed-source software is easier to place back doors or traps, and the NSA key found in the Windows operating system is compelling evidence.

Open source can bring security

Closed-source software is no better than the security of Open-source software, and, conversely, OSS has the capacity and potential to provide better security, as evidenced by the following examples:

OpenBSD, currently one of the safest operating systems in the world, is an Open-source project. It is a branch of the BSD Uinx, security is its main design goal, it is based on NetBSD, spent dozens of years of time to review code formation. More importantly, it has never seen a remote vulnerability in three years under the default installation method.

Linux, the software Pride of the information age, has captured 25% of the server market in 2000. has been widely used in such as Yahoo, such as high performance requirements of the site, and has been IBM, HP and other large manufacturers of explicit support.

It turns out that open source software is more stable and secure than closed software. Also, open source code offers the following benefits:

First, open code helps you quickly modify errors

Since open code software is reviewed by thousands of developers around the world, it is time to discover and fix their errors. The average time spent by different software developers on Linux, Windows NT, and Solaris three operating systems has been statistically calculated from the errors found in them until they are corrected:

Software developer Red Hat Microsoft Sun
Software name Linux Windows NT Solaris
Error average time 11 days 16 days 89 days

Second, open code helps improve code quality

In a typical closed development project, the developer's personal responsibility and professional reputation are relatively limited, and more importantly, because the source code is closed, errors or errors may be quietly concealed by the developers; instead, every line of code written by the developers of Open source software embodies their reputation and reputation. Messy code can be criticized and even ridiculed by peers. Release the source code and let peer review, which is not possible in the closed source development.

Third, open source helps to promote security code development technology

Open source programmers often exchange ideas and solutions for problems encountered in development, they are happy to innovate and practice new theories about code security, and if a technology is found to be flawed, new technology will replace it, and the security of the new code is gradually improved as older, less secure code is gradually modified. While in closed development, the security of the software may give way to commercial interests. Developers may not focus on adopting or creating new security code development techniques because of constraints such as task timing or programming habits.

Open source is not a safe point

These do not mean that open source can solve the security problem, the open source model also has deficiencies.

Patching ≠ security

Some people think that as long as we open the source code, and the software constantly review the code and modify the vulnerability, eventually the software will become absolutely safe. Obviously, this view is biased because it regards software as a static thing. In fact, the software is evolving, dynamic development. By investigating the security vulnerabilities in Java, we can see that the security vulnerabilities found will be corrected, but with the increase in functionality, new security vulnerabilities will be introduced, apparently relying only on patching the software to achieve no security purpose.

Multi-eyeball effect ≠ safety

From a security perspective, one of the main benefits of OSS is the "multiple-eyeball effect", where many developers can review the code to quickly discover and modify the bugs. However, publishing the source code does not mean that all bugs can be removed, and even the widely censored Open-source software may have important, uncovered "bugs". For example, a wu-ftp (a file Transfer tool) that was found to have a buffer overflow problem was actually reviewed by a program master before it was published. In addition, relying solely on extraneous outsiders to check security-related code can pose many problems. For example, in some cases, the first person to find the error may be silent, and use this error for bad and even destructive purposes.

An open security model

Security system should not rely on the source code closed, and simple open source is not a panacea, then how to achieve security purposes? We recommend building the following open security model: Open Security model = Open Design + Secure Code technology + open Source + market incentive mechanism

Open design

The current trend of information development is that the system architecture has a highly scalable capability. The lack of a security feature design can lead to more attacks than an attack from an existing error. For example, Web browser support Plug-ins (plug-ins), because through open design, you can let peers to review the design, using formal theory, error hypothesis methods, as well as reading design documents, can be found in the design of errors, this is the development of security systems and software is a very important link.

Secure Code Technology

Now, most of the errors found by the Computer Emergency Response Team (CERT) are caused by the buffer overflow problem, because many software is written by C + GLib C library, and some of the features and functions they provide have security vulnerabilities. In fact, you can prevent such errors by using a programming language that has a type-correcting check feature, such as C + +. The use of modern programming languages that support exception handling can also remove many errors caused by competitive conditions.

Market incentive Mechanism

Overseas universities have conducted security evaluation tests on the Internet, they open the software source code, but later did not get any software security features of feedback. This also shows that writing code in the open source model is interesting to most people, but reading other people's code is rather tedious. In the open source model lacks the economic incentive mechanism in the non-open source model, how attracts the person to examine the code? This is going to make the market incentive work, a better way is to pay people to read code.